Data encryption is commonly used within public and private optical transport networks to protect data in transit. Encrypting and decrypting data transferred over the optical transport network requires encryption equipment at both the originating and terminating ends of a data path.
A symmetric, key-based cryptographic system (“cryptosystem”) is a well-known form of data encryption/decryption that is typically applied within synchronous, fiber-optic transmission systems using SONET (Synchronous Optical Network) technology. One of the reasons for its popularity is the enhanced security obtained by using a sequence of different encryption keys rather than a single key, with the encryption equipment at both ends of the data path stepping through the same key sequence. However, this source of strength gives rise to an important challenge when implementing such a data encryption system, namely ensuring that the key sequences at each end of the data path remain accurately synchronized. This synchronization of the key sequences is critical in order to ensure that the terminating end of the data path uses the correct key when decrypting an encrypted signal transmission; a decryption performed with the wrong key of the sequence yields unusable data.
Existing key synchronization methods rely on out-of-band signaling to transmit synchronization information over the network. That is, the key synchronization information is sent separately from the primary data, outside of the bandwidth reserved for transmission of the primary data. Unfortunately, a separate, bandwidth-consuming channel is therefore required for the key synchronization information.
In the case of SONET-based transmission systems, current key synchronization methods transmit the key synchronization information in the path overhead portion of the SONET frame, separate from the primary data carried in the payload portion of the frame. Unfortunately, such methods constitute a non-standard, proprietary use of SONET overhead. This non-standard use of SONET overhead limits both network and equipment interoperability, and in some cases creates the requirement for expensive custom engineering of network connections. Furthermore, placing key synchronization information in the SONET path overhead in effect advertises, to anyone observing the overhead, that the payload data is encrypted.
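The following is an added worked example, not code from the original page or from any product it describes. It models the key-sequence synchronization problem of the preceding paragraphs on a framed link: both ends derive the same key sequence from a shared master secret, the originating end rotates to the next key every few frames, and the terminating end is shown in two variants, one that ignores any synchronization information and simply counts frames, and one that reads a key index carried out of band in a per-frame overhead field, as the path-overhead schemes above do. The key-derivation rule, the rotation interval, the overhead layout and the traffic are all constructed assumptions of the model; the cipher is an HMAC-SHA256 keystream with a per-frame nonce and an HMAC tag, chosen only because it needs nothing outside the Python standard library, and stands in for a real authenticated cipher such as AES-GCM.

```python
"""Toy model of key-sequence synchronization on a framed link.

Constructed example; not code from the original page. Both ends derive the
same key sequence from a shared master secret and the sender rotates to the
next key every ROTATE_EVERY frames. The cipher (HMAC-SHA256 keystream plus
HMAC tag) is a standard-library stand-in for a real AEAD such as AES-GCM.
The derivation rule, rotation interval and overhead format are assumptions.
"""
import hashlib
import hmac
import os
import struct

ROTATE_EVERY = 4                                   # frames per key (assumed)
MASTER = b"shared master secret (constructed)"     # provisioned at both ends
NONCE_LEN = 12
TAG_LEN = 16


def derive_key(master: bytes, index: int) -> bytes:
    """Key number `index` of the sequence; computed identically at both ends."""
    return hmac.new(master, b"key" + struct.pack(">I", index), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_frame(key: bytes, payload: bytes) -> bytes:
    """nonce || ciphertext || tag. The nonce travels in the clear inside the
    frame, so the only thing the receiver must get right is which key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_frame(key: bytes, blob: bytes):
    """Return the payload, or None if the tag does not verify under `key`."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                                # wrong key: fail closed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def send(payloads):
    """Originating end. Each frame is (overhead, encrypted payload); the
    overhead carries the current key index out of band, separate from the
    encrypted payload, like the path-overhead schemes described above."""
    return [({"key_index": n // ROTATE_EVERY},
             encrypt_frame(derive_key(MASTER, n // ROTATE_EVERY), p))
            for n, p in enumerate(payloads)]


def receive_blind(frames):
    """Terminating end with no synchronization information: it rotates keys
    by counting the frames it has received, so a single lost frame leaves it
    one frame late at every subsequent rotation."""
    return [decrypt_frame(derive_key(MASTER, local // ROTATE_EVERY), blob)
            for local, (_overhead, blob) in enumerate(frames)]


def receive_synced(frames):
    """Terminating end that takes the key index from the overhead field."""
    return [decrypt_frame(derive_key(MASTER, oh["key_index"]), blob)
            for oh, blob in frames]


def drop(frames, lost):
    """Simulate frames that never reach the terminating end."""
    return [f for n, f in enumerate(frames) if n not in lost]


def demo(n_frames: int = 10, lost=frozenset({3})):
    """Run both receivers over a stream with frame number 3 lost (constructed
    traffic). Returns (blind_results, synced_results)."""
    payloads = [f"payload {i}".encode() for i in range(n_frames)]
    frames = drop(send(payloads), lost)
    return receive_blind(frames), receive_synced(frames)


if __name__ == "__main__":
    blind, synced = demo()
    print("blind :", blind)
    print("synced:", synced)
```

With one frame lost, the blind receiver decrypts correctly until the sender's next key rotation, where it is still one frame behind and applies the previous key; the first frame of every later key period then fails authentication (returns None), while the receiver that reads the overhead recovers every delivered frame. Because the model uses an authenticated cipher, a wrong key fails closed; with an unauthenticated cipher the same desynchronization would instead deliver garbage to the application. Note also that the clear-text `key_index` field is exactly the kind of overhead content that reveals to an observer that the payload is encrypted.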
The background information herein clearly shows that there exists a need in the industry to provide an improved method and system for transmitting signaling information, such as cryptographic key synchronization information, over a data transport network, such as an optical transport network.